Abstract
Malicious traffic detection allows cybersecurity threats to be prevented. Machine learning algorithms are commonly used to detect such traffic in computer networks by analyzing packets. In wide-area networks such as RedCAYLE (Red de Ciencia y Tecnología de Castilla y León), it is not possible to analyze every packet that is routed, so we propose that in such networks sampled flow data can be used for malicious traffic detection. This work presents an analysis of the relevance of each NetFlow feature to the K-Nearest Neighbors (KNN) algorithm when detecting malicious traffic. The model has been validated with real network data from RedCAYLE. Results show that the models need to be trained with sampled flow data, and that the nexthop feature has a negative influence on malicious traffic detection in wide-area networks such as RedCAYLE.
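As an added illustration of the kind of analysis the abstract describes (not code from the paper or its authors), the following Python example trains a KNN classifier on a handful of constructed, NetFlow-like flow records and measures how accuracy changes when each feature is left out in turn. The feature set, the flow records, the use of leave-one-feature-out ablation as the relevance measure, and the min-max scaling are all assumptions made for the example; the paper's own feature set, data and method are not reproduced here.

```python
"""Leave-one-feature-out ablation for a KNN malicious-flow classifier.

Added example with constructed data; the feature list is a simplified
subset of NetFlow fields and the records are not real RedCAYLE flows.
"""
from collections import Counter
from math import sqrt

# Feature order matches the tuple positions below; the label is last.
FEATURES = ["packets", "bytes", "duration_ms", "dst_port", "tcp_flags", "nexthop"]

# Constructed training flows. Scan-like flows are short, tiny and spread over
# many destination ports; "nexthop" is a router index that is independent of
# the label, so it carries no signal and only adds distance noise.
TRAIN = [
    # packets, bytes, duration_ms, dst_port, tcp_flags, nexthop, label
    (1, 60, 0, 22, 0x02, 1, "malicious"),
    (1, 60, 0, 23, 0x02, 2, "malicious"),
    (1, 60, 0, 80, 0x02, 1, "malicious"),
    (2, 120, 5, 443, 0x02, 2, "malicious"),
    (1, 60, 0, 3389, 0x02, 1, "malicious"),
    (1, 60, 0, 8080, 0x02, 2, "malicious"),
    (40, 52000, 800, 443, 0x1b, 1, "normal"),
    (55, 71000, 1200, 443, 0x1b, 2, "normal"),
    (30, 21000, 600, 80, 0x1b, 1, "normal"),
    (12, 9000, 300, 22, 0x1b, 2, "normal"),
    (70, 98000, 2500, 443, 0x1b, 1, "normal"),
    (25, 18000, 400, 80, 0x1b, 2, "normal"),
]

# Constructed held-out flows used to score each feature subset.
TEST = [
    (1, 60, 0, 25, 0x02, 2, "malicious"),
    (1, 60, 0, 445, 0x02, 1, "malicious"),
    (35, 40000, 700, 443, 0x1b, 2, "normal"),
    (15, 11000, 350, 80, 0x1b, 1, "normal"),
]


def scale_params(rows, idx):
    """Per-feature (min, max) over the training rows, for min-max scaling."""
    return [(min(r[i] for r in rows), max(r[i] for r in rows)) for i in idx]


def scale(row, idx, params):
    """Project a record onto the selected features, scaled to [0, 1]."""
    out = []
    for i, (lo, hi) in zip(idx, params):
        span = (hi - lo) or 1  # guard against a constant feature
        out.append((row[i] - lo) / span)
    return out


def knn_predict(train, point, idx, params, k=3):
    """Majority vote among the k nearest training flows (Euclidean distance)."""
    p = scale(point, idx, params)
    dists = []
    for r in train:
        q = scale(r, idx, params)
        dists.append((sqrt(sum((a - b) ** 2 for a, b in zip(p, q))), r[-1]))
    dists.sort(key=lambda t: t[0])
    votes = Counter(label for _, label in dists[:k])
    return votes.most_common(1)[0][0]


def accuracy(train, test, feature_names, k=3):
    """Fraction of test flows classified correctly using only feature_names."""
    idx = [FEATURES.index(f) for f in feature_names]
    params = scale_params(train, idx)
    hits = sum(knn_predict(train, r, idx, params, k) == r[-1] for r in test)
    return hits / len(test)


def ablation(train, test, k=3):
    """Baseline accuracy with all features, plus accuracy with each one removed.

    A feature whose removal leaves accuracy unchanged (or raises it) is not
    helping the classifier; a drop marks a feature the model relies on.
    """
    baseline = accuracy(train, test, FEATURES, k)
    dropped = {}
    for f in FEATURES:
        dropped[f] = accuracy(train, test, [g for g in FEATURES if g != f], k)
    return baseline, dropped


if __name__ == "__main__":
    base, per_feature = ablation(TRAIN, TEST)
    print(f"all features: {base:.2f}")
    for name, acc in per_feature.items():
        print(f"without {name:<12} {acc:.2f}  (delta {acc - base:+.2f})")
```

On the constructed data the label-independent nexthop column can be removed without any loss of accuracy, which is the shape of result the abstract reports for that feature; on real sampled flow data the per-feature deltas, not this toy outcome, are what the analysis has to establish.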
The research described in this article has been partially funded by Instituto Nacional de Ciberseguridad de España (INCIBE), under the grant “ADENDA 4: detección de nuevas amenazas y patrones desconocidos (red Regional de Ciencia y Tecnología)”, addendum to the framework agreement INCIBE-Universidad de León, 2019–2021; the Spanish Ministry of Science, Innovation, and Universities RTI2018-100683-B-I00 grant; and the regional Government of Castilla y León under the grant BDNS (487971).
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Campazas-Vega, A., Crespo-Martínez, I.S., Guerrero-Higueras, Á.M., Álvarez-Aparicio, C., Matellán, V. (2022). Analysis of NetFlow Features’ Importance in Malicious Network Traffic Detection. In: Gude Prego, J.J., de la Puerta, J.G., García Bringas, P., Quintián, H., Corchado, E. (eds) 14th International Conference on Computational Intelligence in Security for Information Systems and 12th International Conference on European Transnational Educational (CISIS 2021 and ICEUTE 2021). CISIS - ICEUTE 2021. Advances in Intelligent Systems and Computing, vol 1400. Springer, Cham. https://doi.org/10.1007/978-3-030-87872-6_6
DOI: https://doi.org/10.1007/978-3-030-87872-6_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-87871-9
Online ISBN: 978-3-030-87872-6
eBook Packages: Intelligent Technologies and Robotics (R0)